Schneier on Security
A blog covering security and security technology.

March 19, 2007

Social Engineering Diamond Theft

Nice story:

In what may be the biggest robbery committed by one person, the conman burgled safety deposit boxes at an ABN Amro bank in Antwerp's diamond quarter, stealing gems weighing 120,000 carats.

Posing as a successful businessman, the thief visited the bank frequently, befriending staff and gradually winning their confidence. He even brought them chocolates, according to one diamond industry official.

People are the weakest security link, almost always.

Posted on March 19, 2007 at 3:42 PM

Comments

I don't think I'll read the linked article... I'll just wait for the movie.

Posted by: nzruss at March 19, 2007 4:44 PM

Bruce, I think I'll have to disagree with you on this one. The weakest link in this case was not human but their security design. The vaults essentially allow any one trusted person to access anyone else's property. It's like giving me access to read everyone's Gmail mail, just because I also have an account.

Posted by: Spider at March 19, 2007 5:29 PM

"He used one weapon -- and that is his charm -- to gain confidence."

Let's see the TSA try to ban that! Oh, wait, they're already doing all they can to make people as grumpy and un-charming as possible...

Posted by: Thomas at March 19, 2007 5:47 PM

And sadly, George Clooney will probably net more money and work for less time making the movie than the actual jewel thief did :D

Posted by: Matt from CT at March 19, 2007 5:53 PM

@Spider: You do have access to read everyone's Gmail mail! Just enter their username and password into the login page! It's no different from the safety deposit box, just put in the key and twist... As to where the username and password come from: same technique.
Show up at Google HQ with some chocolates. Of course, they do get free gourmet food, so it might not work as well...

Posted by: Smee Jenkins at March 19, 2007 5:59 PM

Imagine being required to provide biometric data to purchase a car: it's already happening in SoCal.

Posted by: Garrett at March 19, 2007 6:57 PM

The story said nothing about storing a squid in his locker and returning when it had emptied the neighbouring lockers.

Posted by: diamond geezer at March 19, 2007 7:10 PM

I wonder if Bruce could pull off the same trick? Maybe with a shave and haircut... 2 bits.

Posted by: Anonymous at March 19, 2007 8:05 PM

I agree with Spider -- the fault was in a vault design where anticipatable human error could allow one trusted individual to gain access to other customers' stones. The story lacks details on what exactly the "electronic access key" and "originals of keys" mean for security, but it does seem their physical security was lacking.

Posted by: Kevin at March 19, 2007 8:15 PM

@Smee They gave him a key to a common safe, where they thought he was storing his valuables. That's like giving me root privileges on Gmail's servers. Heck, even Microsoft has learned not to give users of their own computers that much power.

Posted by: Spider at March 19, 2007 11:16 PM

"Key to common safe..." etc. Just to clarify what the standard setup is for these safety deposit vaults: you have a strong room which is generally "open" during business hours. In the strong room are lots of little safes. For convenience the bank employee's key works on all the safes; the client's key should only work on his safe. It would be fairly easy to find some time alone to get a copy of the employee's key; how he managed to get copies of the other clients' keys would seem to require social engineering at genius level.

Posted by: supersnail at March 20, 2007 2:56 AM

Someone has to be trusted in any security system. Always. That's why DRM doesn't work. It assumes an invalid trust model.
Procedures could reduce the problem but never remove it. I would think that some of the bank workers violated basic operating procedures (giving the key to a non-employee). The problem in DRM is that even with tamper-resistant HW you can still record the sound/movie from the speakers/monitors (I won't go into quality issues, but they too can be solved). Banks have usually been open to the "classic" mafia class of attacks. Under this threat model trusted entities become untrusted. It's real hard to solve.

Posted by: greg at March 20, 2007 6:32 AM

@diamond geezer: I vote that post of the month, if not year!

Posted by: Rich at March 20, 2007 9:26 AM

Maybe the raided diamond cutters' safe deposit boxes were deliberately unlocked. The cutters could decide not to lock their boxes to allow access to many people without bothering to pass the key between them. The cutters could have trusted the bank staff not to abuse their master key, and to allow access only to people that are personally known to the staff. This is just a hypothesis that would explain the theft in light of the setup described by supersnail above.

Posted by: FP at March 20, 2007 10:12 AM

@supersnail Ok, thanks for clearing that up. I don't have much experience in diamond vaults ;) That is impressive.

Posted by: Spider at March 20, 2007 10:28 AM

Sounds like it's time for the "Month of Wetware Bugs" (MoWB). Betcha we could easily come up with 30 for April if we all try.

Posted by: bmcmahon at March 20, 2007 11:41 AM

HAH - banks. New Orleans had a few banks with their "safes" underground. How "safe" is that? When the inevitable happened, yes - they flooded. The measures in place to get your sodden insurance papers after the hurricane? Guards with Uzis, a limited number of people allowed into the formerly flooded vault, and illegal Mexicans with hair dryers to help you de-waterlog your precious documents (paid for by the banks, of course).
Posted by: derf at March 20, 2007 12:28 PM

I believe FP has it right. In the safe deposit boxes I have experience with, the "self serve" boxes are just like every other box except they have an employee key broken off inside the mechanism. I can't see any reason why a customer couldn't ask to do it the other way around too.

Posted by: Rob Carlson at March 20, 2007 12:58 PM

This news really is so wonderful, because the diamonds are always dirty and covered in the blood of the poor workers in diamond mines. Enter this site www.apollodiamond.com and see the new synthetic diamond of the future, which you can pay for, friends.

Posted by: jose at March 20, 2007 8:51 PM

Really, he deserves the money; he is a genius. I don't promote robbery, but please, it is amazing, and the volume stolen doesn't do so much damage to the economy of a few Jewish jewelers in Antwerp. Please, they have money from the suffering of the poor workers in diamond mines in South Africa and...

Posted by: jose at March 21, 2007 7:57 AM

These locks are simple to unpick with the right tool... have you tried?

Posted by: Maria Gourlai at October 23, 2007 7:39 PM
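The dual-key vault setup supersnail describes above, together with the degraded variants FP and Rob Carlson raise (boxes left unlocked, or with one key permanently broken off inside the lock), can be written down as a small access-control model. The Python below is an added illustration, not code from the post, the bank or any commenter; the box ids, key names and the four access modes are assumptions chosen for the example, not details from the article. It computes which boxes an attacker can open given the keys they hold, which is the question the thread is really arguing about.

```python
"""Safe-deposit vault access policy as a 2-of-2 dual-control model.

Added illustration only: this is not the bank's mechanism or anyone's
posted code. The box ids, key names and the access modes below are
assumptions made for the example.
"""
from dataclasses import dataclass, field

GUARD = "guard"  # the bank employee's key; fits every box in the strong room


@dataclass(frozen=True)
class Box:
    box_id: int
    client_key: str          # the customer's own key; fits only this box
    mode: str = "standard"   # which keys the lock actually demands (assumed modes)

    def required_keys(self) -> frozenset:
        """Keys that must all be present to open this box."""
        if self.mode == "standard":      # normal dual control: both keys needed
            return frozenset({GUARD, self.client_key})
        if self.mode == "self_serve":    # employee key broken off inside the lock
            return frozenset({self.client_key})
        if self.mode == "guard_only":    # the reverse: client half left satisfied
            return frozenset({GUARD})
        if self.mode == "unlocked":      # box never locked at all
            return frozenset()
        raise ValueError(f"unknown mode {self.mode!r}")


@dataclass
class Vault:
    boxes: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)   # (box_id, keys presented, opened?)

    def add(self, box: Box) -> None:
        self.boxes[box.box_id] = box

    def open(self, box_id: int, presented) -> bool:
        """Open a box only if every required key is among those presented."""
        box = self.boxes[box_id]
        opened = box.required_keys() <= frozenset(presented)
        self.audit.append((box_id, tuple(sorted(presented)), opened))
        return opened


def exposure(vault: Vault, attacker_keys) -> list:
    """Box ids an attacker holding exactly `attacker_keys` can open."""
    held = frozenset(attacker_keys)
    return sorted(bid for bid, box in vault.boxes.items()
                  if box.required_keys() <= held)


def build_demo_vault() -> Vault:
    """Constructed sample vault; ids, key names and modes are made up."""
    vault = Vault()
    vault.add(Box(1, "k1"))                     # standard dual control
    vault.add(Box(2, "k2"))                     # standard dual control
    vault.add(Box(3, "k3", mode="self_serve"))  # only the client key matters
    vault.add(Box(4, "k4", mode="guard_only"))  # only the employee key matters
    vault.add(Box(5, "k5", mode="unlocked"))    # anyone in the strong room
    return vault


if __name__ == "__main__":
    v = build_demo_vault()
    # A thief who has social-engineered a copy of the employee key alone:
    print("employee key only:", exposure(v, {GUARD}))      # [4, 5]
    # ...and who has also copied one customer's key:
    print("employee + k1:", exposure(v, {GUARD, "k1"}))    # [1, 4, 5]
    # A customer with only their own key gets nothing of anyone else's
    # unless that other box was left in a degraded mode:
    print("k3 only:", exposure(v, {"k3"}))                 # [3, 5]
    print(v.open(1, {GUARD}), v.open(1, {GUARD, "k1"}))    # False True
```

The point the model makes explicit: the 2-of-2 guarantee holds only for boxes that actually demand both keys. Every convenience mode collapses a box to a single key, and a copied employee key then opens exactly the boxes whose owners opted out of the second factor, which is why a charming regular with a copy of the staff key is a design problem as much as a people problem.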
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.